Create PingFederate Connections
In PingFederate, create client endpoints to which applications in your SSO solution connect when obtaining or verifying access tokens or authenticating users. It is recommended that you create a separate client for each role that an application will perform within your SSO solution. This allows you to fine-tune the settings within the client for that role.
For ThingWorx SSO, the following clients need to be created in PingFederate:
• SP Connection for ThingWorx as a service provider
• OAuth Client for ThingWorx as a service provider
For in-depth information about creating and configuring PingFederate connections, refer to PingFederate documentation or contact PingIdentity customer support. The following procedures contain settings that are required for ThingWorx SSO; however, additional settings may be required for the SSO solution for your enterprise.
SP Connection for ThingWorx as Service Provider
This connection is used for SAML authentication. ThingWorx directs user login requests to PingFederate.
1. On the IDP Configuration page, select SP Connections, and click Create New.
2. In the Connection Type section, select Browser SSO Profiles to specify the SAML 2.0 protocol.
3. In the Connection Options section, select Browser SSO.
4. In the General Info section, perform the following steps:
a. Set Partner’s Entity ID (Connection ID) to a unique value. Make note of this ID because you will use it when configuring the sso-settings.json file.
b. Provide a descriptive name for the Connection Name field. This is the name that is displayed in the SP Connection list.
c. Set Base URL to the URL where your web application (ThingWorx) service provider is hosted.
5. In the Protocol Settings section, set the Assertion Consumer Service URL endpoint to URL:/Thingworx/saml/SSO, where URL is the Base URL you entered in step 4c.
6. In the Credentials section, set Digital Signature Settings to Selected Certificate.
7. In the Signature Verification section, add a certificate for:
◦ Signature Verification Certificate: Selected Certificate
◦ Signature Verification Certificate: Selected Encryption Certificate
◦ Select XML Encryption Certificate: Selected Encryption Certificate
8. Confirm that the new service provider is active. View the SP Connection. A radio button indicator at the top of the Activation & Summary page should be set to Active.
9. Click Save.
PingFederate uses a mechanism called a policy contract to bridge connections between service providers and the identity provider that PingFederate relies on. You will need to create a policy contract for this SP Connection. When you do so, list any attributes that should be exchanged in the SAML assertions.
For more information, refer to the Configuring Authentication for Third-Party IdPs Manually topic in the PTC Identity and Access Management Help Center.
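Before importing the SP side into this connection, it is worth confirming that the SP metadata ThingWorx presents actually carries the values the steps above depend on. The check below is an added example, not code from PTC or Ping Identity: it parses a SAML 2.0 SP metadata document and reports whether the entityID matches the Partner's Entity ID, whether a signing and an encryption certificate are present to import in step 7, and whether an HTTPS HTTP-POST Assertion Consumer Service endpoint exists at Base URL plus /Thingworx/saml/SSO. The entity ID, hostname and certificate contents in the sample metadata are constructed placeholders.

```python
import xml.etree.ElementTree as ET  # use defusedxml for metadata from untrusted sources

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata; entity ID, host and certificate values are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="thingworx-sp-example">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://twx.example.com/Thingworx/saml/SSO" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text, expected_entity_id, base_url):
    """Return a list of findings; an empty list means the metadata matches the SP Connection settings."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.get("entityID") != expected_entity_id:
        findings.append("entityID does not match Partner's Entity ID (Connection ID)")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no SPSSODescriptor element"]
    # A KeyDescriptor without a use attribute applies to both signing and encryption.
    uses = set()
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.find(".//ds:X509Certificate", NS) is not None:
            uses.update({kd.get("use")} if kd.get("use") else {"signing", "encryption"})
    for use in ("signing", "encryption"):
        if use not in uses:
            findings.append(f"no {use} certificate available to import")
    expected_acs = base_url.rstrip("/") + "/Thingworx/saml/SSO"
    acs = [a for a in sp.findall("md:AssertionConsumerService", NS) if a.get("Binding") == HTTP_POST]
    if not any(a.get("Location") == expected_acs for a in acs):
        findings.append(f"no HTTP-POST Assertion Consumer Service endpoint at {expected_acs}")
    for a in acs:  # assertions must never be posted over plain HTTP
        if not a.get("Location", "").startswith("https://"):
            findings.append("Assertion Consumer Service endpoint is not HTTPS: " + a.get("Location", ""))
    if sp.get("WantAssertionsSigned") != "true":
        findings.append("WantAssertionsSigned is not true; signature verification would not be required")
    return findings
```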
OAuth Client for ThingWorx as Service Provider
The OAuth client is a connection point for PingFederate to provide access tokens to ThingWorx. ThingWorx uses these access tokens to request OAuth-protected resources from resource servers.
To create and configure an OAuth Client for ThingWorx as a Service Provider, refer to the Creating OAuth Client Connection for ThingWorx topic in the PTC Identity and Access Management Help Center.