Single Sign-on Authentication
Single Sign-On (SSO) can be enabled in ThingWorx to allow mashups and applications built on the platform to participate in SSO scenarios involving other PTC products. ThingWorx supports the following protocols under the “Standard” IAM architecture constraints, only for the documented examples:
For authentication
• SAML 2.0
For Cross-domain Identity Management
• SCIM (1.1, 2.0)
For authorization, the following OAuth 2.0 token flows are used:
• OAuth 2.0 authorization code flow - excluding PKCE support
• OAuth 2.0 client credentials flow
Central Auth Servers in our “Standard” IAM architectures:
• PingFederate
• Microsoft Entra ID – serves as both the Central Auth Server and the Identity Provider
• AD FS – serves as both the Central Auth Server and the Identity Provider
For more information about “Standard” IAM architectures, refer to PTC IAM policy.
This section describes the configuration steps for enabling SSO in ThingWorx. You may need to consult with other PTC product administrators and identity provider administrators in your organization to configure other applications that are configured for SSO.
For more information, refer to PTC IAM help center.
For support, refer to IAM support site.
SSO Capabilities Supported for PingFederate
• SAML authentication
• OAuth delegated authorization with ThingWorx as a Service Provider
• ThingWorx as a Resource Server
SSO Capabilities Supported for Microsoft Entra ID
• SAML authentication
• OAuth delegated authorization with ThingWorx as a Service Provider
SSO Capabilities Supported for AD FS
• SAML authentication
• OAuth delegated authorization with ThingWorx as a Service Provider
SSO Capabilities Supported for Atlas IAM server
• OIDC authentication
If ThingWorx is configured with PTC Atlas IAM server, there is no need for configuration. ThingWorx is configured in PTC Cloud only for Windchill+ customers.