ThingWorx Model Definition in Composer > Security > Single Sign-on Authentication > Using AD FS as a Central Auth Server and an Identity Provider
Using AD FS as a Central Auth Server and an Identity Provider
ThingWorx 9.2, 9.1.4, 9.0.9, and later support AD FS acting as both the Central Auth Server (CAS) and the Identity Provider (IdP) to manage SSO-enabled products. Thus, a user is able to access data from their application, and use it in their session in ThingWorx.
In this SSO architecture, ThingWorx sends SAML requests for user authentication to AD FS. AD FS verifies the authenticity of the user credentials and sends an assertion to ThingWorx authorizing the user login.
AD FS also manages the trust relationship between ThingWorx and the resource providers from which ThingWorx retrieves data. AD FS generates access tokens which ThingWorx includes in requests for data from resource providers. Resource providers rely on AD FS to verify the authenticity of the access tokens. This scenario is called delegated authorization because the user is authorizing ThingWorx to obtain their data from a resource provider. The access tokens exchanged between ThingWorx, AD FS, and other PTC products use the OAuth protocol.
Before you proceed, make sure you read through the PTC Identity and Access Management Help Center. This Help Center provides an overview of single sign-on and related terminologies as well as detailed information on configuring AD FS. It also provides the following examples of single-sign on configurations:
Configuring Authentication with AD FS
Configuring Authorization with AD FS
Was this helpful?