Single Sign-on Authentication
Single Sign-On (SSO) can be enabled in ThingWorx to allow mashups and applications built on the platform to participate in SSO scenarios involving other PTC products. ThingWorx supports the following protocols under the “Standard” IAM architecture constraints, only for the documented examples:
For authentication
SAML 2.0
For Cross-domain Identity Management
SCIM (1.1, 2.0)
For authorization, the following OAuth 2.0 token flows are used:
OAuth 2.0 authorization code flow - excluding PKCE support
OAuth 2.0 client credentials flow
Our “Standard” IAM architectures Central Auth Servers:
PingFederate
Azure AD B2C — serves as a Central Auth Server. May serve as Identity Provider
AD FS – serves as both the Central Auth Server and the Identity Provider
This section describes the configuration steps for enabling SSO in ThingWorx. You may need to consult with other PTC product administrators and identity provider administrators in your organization to configure other applications that are configured for SSO.
For more information, refer to PTC IAM help center.
For support, refer IAM support site.
SSO Capabilities Supported for PingFederate
SAML authentication
OAuth delegated authorization with ThingWorx as a Service Provider
ThingWorx as a Resource Server
SSO Capabilities Supported for Microsoft Entra ID
SAML authentication
OAuth delegated authorization with ThingWorx as a Service Provider
SSO Capabilities Supported for AD FS
SAML authentication
OAuth delegated authorization with ThingWorx as a Service Provider
SSO Capabilities Supported for Atlas IAM server
OIDC authentication
* 
If ThingWorx is configured with PTC Atlas IAM server, there is no need for configuration. ThingWorx is configured in PTC Cloud only for Windchill+ customers.
Was this helpful?