Using AD FS as a Central Auth Server and an Identity Provider
ThingWorx 9.2, 9.1.4, 9.0.9, and later support AD FS acting as both the Central Auth Server (CAS) and the Identity Provider (IdP) to manage SSO-enabled products. A user can therefore access data from another SSO-enabled application and use it in their ThingWorx session.
In this SSO architecture, ThingWorx sends SAML requests for user authentication to AD FS. AD FS verifies the authenticity of the user credentials and sends an assertion to ThingWorx authorizing the user login.
AD FS also manages the trust relationship between ThingWorx and the resource servers from which ThingWorx retrieves data. AD FS generates access tokens, which ThingWorx includes in its requests for data from those resource servers. The resource servers rely on AD FS to verify the authenticity of the access tokens. This scenario is called delegated authorization because the user is authorizing ThingWorx to obtain their data from a resource server on their behalf. The access tokens exchanged between ThingWorx, AD FS, and other PTC products are issued and exchanged using the OAuth protocol.
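The check a resource server performs on the access token before releasing data to ThingWorx, as an added example that is not part of this Help Center or of any PTC product: AD FS issues its OAuth access tokens as RS256-signed JWTs, so the server verifies the signature with the AD FS token-signing public key (assumed here to have been obtained from AD FS beforehand) and then checks issuer, audience and validity window. The issuer URI and audience identifier used in the test are constructed placeholders, and MintToken only stands in for AD FS so that the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
var b64 = base64.RawURLEncoding
// Claims a resource server checks on an AD FS-issued access token; the values are constructed.
type Claims struct {
	Iss string `json:"iss"` // AD FS issuer URI
	Aud string `json:"aud"` // identifier of the resource server the token was minted for
	Nbf int64  `json:"nbf"`
	Exp int64  `json:"exp"`
}
// MintToken stands in for AD FS issuing an RS256 JWT; it is a test fixture, not an AD FS API.
func MintToken(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	in := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body) // the signed portion
	sum := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return in + "." + b64.EncodeToString(sig), err
}
// VerifyToken is the resource server's check before it releases data to ThingWorx: a fixed
// algorithm against the AD FS key (the token's "alg" header is never consulted), then claims.
func VerifyToken(tok string, pub *rsa.PublicKey, issuer, aud string, now time.Time) (*Claims, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if sig, err := b64.DecodeString(p[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return nil, errors.New("signature does not verify against the AD FS key")
	}
	var c Claims
	if raw, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("payload unreadable")
	}
	if t := now.Unix(); c.Iss != issuer || c.Aud != aud || t < c.Nbf || t >= c.Exp {
		return nil, errors.New("wrong issuer or audience, or outside the validity window")
	}
	return &c, nil
}
```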
Before you proceed, make sure you read through the PTC Identity and Access Management Help Center. This Help Center provides an overview of single sign-on and related terminology as well as detailed information on configuring AD FS. It also provides the following examples of single sign-on configurations: